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SECURE MODE CONTROLLED MEMORY 

Technical Field of the Invention 

The present invention relates to a method of enhancing 
program code security, which program code is to be executed 
in an electronic device comprising a secure execution envi- 
5 ronment to which access is restricted, a system for enhanc- 
ing program code security, which program code is to be exe- 
cuted in an electronic device comprising a secure execution 
environment to which access is restricted, a mobile communi- 
cation terminal comprising the system, a programmable logic 

10 device comprising the system, a computer program comprising 
computer-executable components for causing a device to per- 
form the steps recited in any one of the method claims and a 
computer -readable medium storing computer-executable compo- 
nents for causing a device to perform the steps recited in 

15 any one of the method claims. 

Background Art 

Various electronic devices, e.g. mobile telecommuni- 
cation terminals, portable computers and PDAs, require ac- 

2 0 cess to security related components such as application pro- 
grams, cryptographic keys, cryptographic key data material, 
intermediate cryptographic calculation results, passwords, 
authentication means for externally downloaded data etc. 
Typically, it is necessary that these components, and the 

25 processing of them, is kept secret within the electronic de- 
vice. Ideally, they shall be known by as few people as pos- 
sible since a device possibly can be tampered with if its 
security related components are known. Access to these types 
of components might aid an attacker which has a malicious 

30 intent to manipulate a terminal. 

Therefore, a secure execution environment is introduced 
in which environment a processor within the electronic de- 
vice is able to access the security related components. Ac- 
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cess to the secure execution environment, processing in it 
and exit from it should be carefully restricted. Prior art 
hardware comprising this secure environment is often en- 
closed within tamper resistant packaging. It should not be 
5 possible to probe or perform measurements and tests on this 
type of hardware which could result in the revealing of se- 
curity related components and the processing of them. 

The device architecture described hereinabove is not 
perfectly resistant to security attacks. It is, for example, 

10 desirable to offer enhanced protection against attackers of 
software that executes outside the secure execution environ- 
ment. When the operating system of a device is booted, it is 
relatively simple to ensure that the proper software is 
started, since specifically developed protected application 

15 software is employed for these and other purposes, and the 
execution of these protected applications is strictly con- 
trolled. However, during subsequent execution, an attacker 
may make attempts to modify "normal" software application 
using various methods, and possible modifications of any 

2 0 software executing in the device should be prevented. 

Protection of data and program code is highly desir- 
able, since a malicious person may try to access sensitive 
data in the device in case this person is given access to 
the device, for example by stealing it. It may also be the 
25 case that a Digital Rights Management (DRM) system is imple- 
mented in the device. This DRM system stores copyright pro- 
tected contents and associated digital rights that determine 
what type of access a user has to the content. The DRM sys- 
tem is thus used to protect the content from being accessed 

3 0 by an unauthorized user, misused and/or wrongly distributed. 

Since the contents and the rights have an economical value, 
the user may become tempted to try to access the contents by 
bypassing DRM control functions. Clearly, many different 
scenarios can be envisaged in which an attacker may attempt 
3 5 to manipulate a device. 
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A typical attack made is an attack referred to as the 
"modif ied-chip attack". In the modified- chip ("mod-chip") 
attack, an attacker attaches a small chip into the target 
device architecture. The mod-chip then modifies signals 
5 and/or data in the device architecture to manipulate the de- 
vice. The complexity of mod-chips covers a broad range, from 
designs containing a simple microprocessor and associated 
software to highly complex designs incorporating field pro- 
grammable gate arrays (FPGA) containing thousands of logic 

10 gates. Given an unlimited amount of time and sophisticated 
hardware/software, a skilled attacker may crack just about 
any system, and it may in practice be very difficult to se- 
cure a system against such brute force attacks. However, an 
acceptable security level of a system is, in most cases, a 

15 level where the security measures that are taken prevents an 
attacker from cracking the system, due to the fact that the 
required complexity of the mod- chips makes the design and 
production of the mod-chips prohibitively expensive. Thus, 
even though it may be virtually impossible to secure systems 

2 0 against brute force attacks which utilize highly sophisti- 
cated hardware/software, the systems shall be resistant to 
attacks which use less complex and hence less expensive mod- 
chips . 

In the prior art, typical measures that have been taken 

2 5 to secure systems or devices include, for example, to impede 

access to system/ device buses. Program code should be pro- 
tected both during execution and when the code is stored in 
system memory. However, problems relating to device security 
still remains. 

30 

Summary of the Invention 

It is an object of the present invention to mitigate 
the problems set out above, and to provide for a secure sys- 
tem that offers enhanced protection against attackers of 

3 5 software that executes outside the secure execution environ- 

ment . 
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This object is attained by a method of enhancing data 
security, which data is to be executed in an electronic de- 
vice comprising a secure execution environment to which ac- 
cess is restricted, the method comprising the steps of: 
5 generating, in said secure execution environment, a new se- 
cret key repeatedly; verifying, in said secure execution en- 
vironment, the integrity of data to be written into storage; 
encrypting, in said secure execution environment, the data 
by means of said new secret key; and writing the encrypted 

10 data into storage. 

The object is also attained by a system for enhancing 
data security, which data is to be executed in an electronic 
device comprising a secure execution environment to which 
access is restricted, which system comprises: means ar- 

15 ranged to generate, in said secure execution environment, a 
new secret key in said secure execution environment repeat- 
edly; means arranged to verify, in said secure execution en- 
vironment, the integrity of data to be written into storage; 
means arranged to encrypt, in said secure execution environ - 

2 0 ment, the data by means of said new secret key; and means 
arranged to write the encrypted program code into storage . 

The object is still further attained by a mobile tele- 
communications terminal, a programmable logic device, a com- 
puter program and a computer- readable medium employing the 

2 5 above-described system. 

A basic idea of the present invention is that, at de- 
vice boot when the device is started, data is copied from 
permanent memory - e.g. NAND flash memory - to temporary 
memory - e.g. RAM - from which temporary memory the data 

3 0 subsequently is executed. Typically, the data consists of 

program code. The integrity of this program code must be 
verified to ensure that the program code has not been al- 
tered during the transmission from the NAND to the RAM. This 
type of security critical operations is performed by the de- 
3 5 vice processor in the secure execution environment. Note 

that NAND memory is always considered external memory, i.e. 
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located outside the device, whereas the RAM mainly is lo- 
cated outside the device, but there is also a smaller amount 
of RAM located inside the device, i.e. internal memory. 

Further, at device boot or during runtime, a new secret 
5 key is generated in the secure execution environment. This 
new secret key is used by the device processor to encrypt, 
when the secure operation mode of the processor is set, the 
data to be stored in the (external) RAM in order to provide 
confidentiality, i.e. to ensure that the data is kept secret 

10 during the transmission. The device processor thereafter 

writes the encrypted data into the RAM . Note that encryption 
of data/program code is of greater importance if the 
data/program code is to be stored in external RAM than if it 
is to be stored in internal RAM, as the internal RAM itself 

15 is regarded as relatively secure due to the fact that it is 
located within the device. However, if a high level of secu- 
rity is required, encryption of data/program code to be 
stored in internal RAM may also be performed. 

The present invention is advantageous, since if an at- 

20 tacker wants to modify the code stored in the RAM, the at- 
tacker will have to procure the secret key such that the en- 
crypted program code can be decrypted. If the program code 
is in the clear, the attacker may modify the code to manipu- 
late the device. The attacker may also modify encrypted 

25 code, but these modifications would have a rather arbitrary 
effect, and do not have the effect that the device can be 
manipulated in a predictable manner. Since the access to the 
secure execution environment of the device, in which secure 
environment the secret key is stored, is heavily restricted, 

3 0 an attacker will have to cryptoanalyze the program code to 

procure the key. When a new boot sequence is undertaken, the 
above procedure is repeated. This has the effect that, when 
the device is booted, a new secret key is generated and used 
to encrypt the program code, which makes cryptoanalysis even 

35 more difficult due to the fact that the encryption key re- 
peatedly is changed. 
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Another great advantage of the present invention is 
that less strong algorithms employed during runtime are com- 
pensated for. While strong encrypt ion/integrity mechanisms 
can be used in permanent storage, they generally cannot be 
5 used at runtime. When doing one-time bulk accesses to perma- 
nent memory, thus reading a large amount of data or program 
code, there is only a small performance penalty with regard 
to data integrity checking. But in runtime, the algorithms 
that are used are weaker, as they may not delay execution 

10 and thereby create unacceptable latency. As a result, fre- 
quent key changes are applied in order to compensate for the 
runtime algorithms . 

The generation of a new secret key may be performed at 
every new boot, but it may also be sufficient to generate a 

15 new key at randomly chosen boot sequences, or regularly cho- 
sen boot sequences where the term "regularly" does not nec- 
essary imply that a new key is generated at every new boot 
sequence. This is a trade-off between security on the one 
hand, and the processing required to generate new keys on 

2 0 the other. Each generated key shall be new as compared to 
the previously generated key, and ideally a generated new 
key is random compared to any other previously generated 
key. As an alternative - or complement - to generating a new 
secret key at boot, keys can be generated in runtime. In 

2 5 that case, a new key should be generated before a possible 

attacker has had time to gather the amount of data (or per- 
form a sufficient number of calculations) required to break 
the secret key. Runtime key changes may be arranged such 
that a part of the "old" key is changed until the complete 

3 0 old key gradually has been replaced by a new key. 

According to an embodiment of the invention, the pro- 
gram code must also be authenticated in the secure execution 
environment, so that the device is ensured that the program 
code originates from a trusted code provider. If authentica- 
35 tion is not performed, a mod-chip attacker may supply the 
device with program code that already has been modified, 
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i.e. the attacker may perform pre-boot modification of the 
program code . 

According to another embodiment of the invention, the 
address of the memory location to which encrypted data is to 
5 be written is combined with the new secret key. For example, 
the numerical value of the address location in address space 
is concatenated to (or in some other appropriate manner com- 
bined with) the new secret key, and the resulting concatena- 
tion is used to encrypt said data, before said encrypted 

10 data is written into storage. Hence, the encrypted data be- 
comes associated with the address at which the encrypted 
data is stored. 

This embodiment is advantageous, e.g. if an attacker 
mounts a so called chosen plaintext attack, in which the at- 

15 tacker defines his/her own plaintext, feeds it to the en- 
cryption hardware and makes an analysis of the resulting ci- 
phertext . This attack may be mounted when fixed program code 
is compared with (modified) program code that the attacker 
has chosen, but is difficult to implement in practice. How- 

20 ever, this attack may also be mounted when both program code 
and data are encrypted. Even though the program code is 
fixed, data changes continuously, and the attacker may con- 
sequently be given access to several different data sets 
that are encrypted (in the same address location) with the 

25 same key, making cryptoanalysis possible. By using the here- 
inabove described concatenation to encrypt data and/or pro- 
gram code to be written into memory, the encryption key, 
i.e. the concatenation, will differ for each address loca- 
tion. This greatly impedes cryptoanalysis. 

3 0 According to yet another embodiment of the present in- 

vention, a plurality of new secret keys is generated at de- 
vice boot, wherein each new secret key is used to encrypt a 
respective subset of the program code. Hence, different se- 
cret keys may be used to encrypt different parts of the pro- 

35 gram code. Consequently, different parts of the temporary 

storage area, i.e. the RAM, may hold program code encrypted 



Express Mail No. EV435647516US 



7 



PATENT 

Attorney Docket No. ,915-008.021 

with different keys, making cryptoanalysis of the program 
code even more difficult. 

According to still another embodiment of the present 
invention, address locations are permuted in address space 
5 at boot. This permutation, or reordering, makes it difficult 
for an attacker to know where a specific address is located 
in address space. For example, the address located at posi- 
tion number 1024 in address space is, at reboot, mapped to 
address location number 2048. At a further reboot, the ad- 

10 dress is mapped to position number 512, etc. This impedes 
attacks on the system. 

According to other embodiments of the present inven- 
tion, redundancy in the form of integrity data is employed. 
The use of integrity data such as checksums, message authen- 

15 tication codes (MAC) or other types of message integrity 

codes is well known. Storing integrity codes is expensive, 
as it requires additional memory. Thus, their use is pref- 
erably limited to security critical code, like protected ap- 
plications . 

2 0 As the storing of integrity codes is expensive, the 

number of bits that form the code should be small. However, 
the smaller the number of bits, the smaller the probability 
of detecting individual tampering. Assume that external mem- 
ory is accessed in groups of 32-bit words. If a one-bit 

25 checksum is added to each 32-bit word, the probability that 
someone would guess the correct value of the one-bit check- 
sum is 50%. If a two-bit checksum is added to each 32-bit 
word, the probability that someone would guess the correct 
value of the two-bit checksum is 25%, and so on. In one em- 

30 bodiment of the present invention, a cryptographic checksum, 
i.e. a MAC, is employed. The MAC is calculated as a function 
of the data for which integrity is to be provided and an in- 
tegrity check key. This integrity check key comprises the 
new secret key, or possibly new secret keys, that were dis- 

35 cussed hereinabove. In the invention, a relatively small 
number of bits may be used in the MAC, as the integrity 
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check key changes in every boot. Hence, trial tampering must 
be done again at each boot (i.e. whenever the integrity 
check key is changed) . 

If a plurality of new secret keys is generated at de- 
5 vice boot, integrity data may be calculated using different 
keys for different memory locations, so that the content at 
the respective memory location may not be swapped for a con- 
tent at another memory location. 

When data or program code is written into .the RAM, the 

10 associated MAC is written into integrity protection 

storage, which preferably is located inside the device, but 
the MAC could also be stored in external memory. Use of ex- 
ternal or internal memory is a compromise between cost, per- 
formance and security. The internal memory of the device, 

15 which may be implemented in the form of e.g. an ASIC (Appli- 
cation Specific Integrated Circuit) , an FPGA, a CPLD (Com- 
plex Programmable Logic Device) or some other type of pro- 
grammable hardware, is fast and secure but comparatively ex- 
pensive. On the other hand, since external memory is less 

2 0 expensive, wider integrity codes may be stored, which in- 
creases security. In practice, a combination of internal and 
external memory will be employed for storing the integrity 
codes . 

When the program code is to be executed, the device 

2 5 reads it from the RAM. The device verifies the correctness 

of the MAC, i.e. it is checked that the program code has not 
been modified. If an incorrect MAC is found, the device 
should stop operation to prevent a possibly modified program 
code from running. 

3 0 According to yet another embodiment of the invention, 

the device processor can be set in one of at least two dif- 
ferent operating modes. In the device, storage circuitry are 
arranged with at least one storage area in which protected 
data relating to device security are located. The processor 
3 5 is given access to the storage area when a secure processor 
operating mode is set, and is denied access to said storage 
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area when a normal processor operating mode is set. The fact 
that the processor and the application it is executing is, 
or is not, given access to the storage area is what defines 
the actual operating modes. 
5 The accessing of the storage area in the storage cir- 

cuitry defines the secure operation mode of the processor. 
The storage areas that the processor can access while oper- 
ating in the secure execution mode is referred to as the se- 
cure execution environment. As previously mentioned, these 

10 storage areas contain security related components such as 

application programs, cryptographic keys, cryptographic key 
data material, intermediate cryptographic calculation re- 
sults, passwords, authentication means for externally down- 
loaded data etc. In the secure execution mode, the processor 

15 is capable of accessing the security components. This is im- 
portant, and highly advantageous, since the security re- 
strictions imposed on the device in the normal, unsecure 
processing mode are severe . 

Ideally, only so called protected applications, which 

20 typically are small-size applications for performing secu- 
rity critical operations inside the secure execution envi- 
ronment, are allowed to handle secret cryptographic keys. 
Protected applications are applications that may be issued 
by trusted providers, in which case they must be authenti- 

25 cated, but they may also be issued by any third party, re- 
gardless of whether this third party is trusted or not . In 
the latter case, no authentication occurs. It must be deter- 
mined from the particular context whether the protected ap- 
plication must be issued by a trusted provider or not. Gen- 

3 0 erally, applications that are arranged in such a way that 
they have, or are given, the power to jeopardize the secu- 
rity of the device should be trusted. 

Protected applications may be regarded as a part of a 
normal application executing outside the secure environment. 

35 Protected applications may also comprise applications em- 
ployed to implement standard functionality in the device. 
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For example, protected applications are utilized for booting 
the device and loading an operating system into it. It is 
desirable that not even the device user, even though she 
cannot be considered to be an unauthorized third party, is 
5 given access to the secret cryptographic keys. Possibly, a 
DRM system is implemented in the device, and since the digi- 
tal contents - and the associated digital rights - which are 
rendered by means of the DRM system, have an economical 
value, the user may try to access the contents by bypassing 
10 DRM control functions. Of course, there may be other reasons 
why a user should not be given access to the keys; the gen- 
eral security aspect must for example be taken into consid- 
eration . 

In normal device operation mode, the device processor 

15 does not have access to security related data located within 
the secure environment. The security data includes crypto- 
graphic keys and algorithms, software for booting the cir- 
cuitry, secret data such as random numbers used as crypto- 
graphic key material, application programs etc. Access to 

2 0 these security data and the processing of it is restricted. 

When testing and/or debugging the device, which typically is 
located in a mobile communication terminal, access to the 
security related data is not allowed. For this reason, the 
processor is placed in the normal, or "unsecure" , operating 

2 5 mode, in which mode it is no longer given access to the pro- 
tected data within the secure environment. 

Further features of, and advantages with, the present 
invention will become apparent when studying the appended 
claims and the following description. Those skilled in the 

30 art realize that different features of the present invention 
can be combined to create embodiments other than those de- 
scribed in the following. 

Brief Description of the Drawings 

35 The present invention will be described in greater de- 

tail with reference to the following drawings, in which: 
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Fig. 1 shows a schematic diagram of a device architec- 
ture for providing data security in which architecture the 
present invention advantageously can be applied ,- 

Fig. 2 shows a schematic diagram of the device archi- 
5 tecture for providing data security, further arranged with a 
removable smart card, in which architecture the present in- 
vention advantageously can be applied; 

Fig. 3 shows a flowchart of the procedure followed at 
boot of the device according to an embodiment of the present 
10 invention; 

Fig. 4 shows a flowchart of the procedure followed at 
boot of the device according to another embodiment of the 
present invent ion ; 

Fig. 5 shows a flowchart of the procedure of providing 
15 program code with a message authentication code according to 
an embodiment of the present invention; and 

Fig. 6 shows a flowchart of the procedure of verifying 
correctness of a message authentication code according to an 
embodiment of the present invention. 

20 

Description of Preferred Embodiments of the Invention 

A device architecture for providing data security is 
shown in Fig. 1. Such a system is further disclosed in the 
Applicant's international patent application publication 

25 WO2004/015553 , which application is incorporated herein by 
reference. Circuitry for providing data security is imple- 
mented in the form of an ASIC 101. The processing part of 
the architecture contains a CPU 103 and a digital signal 
processor (DSP) 102. The ASIC 101, is included in an elec- 

30 tronic appliance 100 such as a mobile telecommunication ter- 
minal, a portable computer, a PDA etc. and is considered to 
be the "brain" of the appliance 100. 

The secure environment 104 comprises a ROM 105 from 
which the ASIC 101 is booted. This ROM 105 contains boot ap- 

35 plication software and an operating system. Certain applica- 
tion programs residing in the secure environment 104 has 
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precedence over other application programs. In a mobile 
telecommunication terminal, in which the ASIC 101 can be ar- 
ranged, a boot software should exist, which software in- 
cludes the main functionality of the terminal. It is not 
5 possible to boot the terminal to normal operating mode with- 
out this software. This has the advantage that by control- 
ling this boot software, it is also possible to control the 
initial activation of each terminal. 

The secure environment 104 also comprises RAM 106 for 

10 storage of data and applications, i.e. protected data. The 
RAM 106 preferably stores so called protected applications, 
which are smaller size applications for performing security 
critical operations inside the secure environment 104, but 
also objects such as cryptographic keys, intermediate cryp- 

15 tographic calculation results and passwords. Generally, the 
way to employ protected applications is to let normal appli- 
cations request services from a certain protected applica- 
tion. New protected applications can be downloaded into the 
secure environment 104 at any time, which would not be the 

2 0 case if they would reside in ROM. Secure environment 104 

software controls the downloading and execution of protected 
applications. The protected applications can access any of 
the resources in the secure environment 104 and they can 
also communicate with normal applications for the provision 
25 of security services. 

In the secure environment 104, a fuse memory 107 is 
comprised containing a unique random number that is gene- 
rated and programmed into the ASIC 101 during manufacturing. 
This random number is used as the identity of the specific 

3 0 ASIC 101 and is further employed to derive keys for crypto- 

graphic operations. Further, storage circuit access control 
means in the form of a security control register is arranged 
in the secure environment 104 . The purpose of the security 
control register is to give the CPU 103 access to the secure 
35 environment 104, or preventing the CPU 103 from accessing 

the secure environment 104, depending on the mode set in the 
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register. Operating modes for the CPU 103 can be set in the 
register by application software, resulting in the fact that 
the architecture does not have to rely on external signals. 
From a security viewpoint, this is preferable since by con- 
5 trolling the application software, the setting of processor 
modes can also be controlled. It is also possible to have an 
external signal (not shown) connected to the ASIC 101, by 
which signal it is possible to set the security control reg- 
ister. By using an external signal, a mode change can be 
10 executed easy and fast, which can be advantageous in test 

environments. A combination of these two mode setting means, 
i.e. application software as well as external signals, is 
feasible . 

The architecture further comprises a standard bridge 
15 circuit 109 for limitation of data visibility on the bus 

108. The architecture should be enclosed within a tamper re- 
sistant packaging. It should not be possible to probe or 
perform measurements and tests on this type of hardware 
which could result in the revealing of security related com- 

2 0 ponents and the processing of them. The DSP 102 and the CPU 

103 has access to other peripherals 110, 112 such as a di- 
rect memory access (DMA) unit, RAMs, flash memories, and ad- 
ditional processors can be provided outside the ASIC 101. In 
the specific embodiments of the present invention, the pe- 
25 ripherals 110, 112 are represented by a temporary memory 

(e.g. a RAM) and a permanent memory (e.g. a NAND flash mem- 
ory) , respectively. 

Another embodiment of the device architecture for pro- 
viding data security is shown in Fig. 2, wherein correspond- 

3 0 ing reference numerals denote corresponding elements as de- 

scribed in connection to Fig. 1. The difference in the ar- 
chitecture shown in Fig. 2, as compared to the architecture 
illustrated in Fig. 1, is that the electronic appliance 200 
is arranged with a removable smart card 211, for example a 
35 SIM, which also may be considered to be a secure environ- 
ment. For security purposes, the mobile terminal 200 and the 
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smart card 211 stores digital certificates issued by trusted 
certification authorities (CAs) . Certificates are used to 
ensure actors communicating with the mobile terminal 200 
and/or the smart card 211 that the holder of a specific cer- 
5 tificate has been authorized by the corresponding trusted 

CA. The CA signs the certificate, and the certificate holder 
must be in possession of the public key that corresponds to 
the private key of the CA to verify that a certificate 
signed by the CA is valid. Note that different devices can 

10 hold certificates from different CAs. In that case, the dif- 
ferent CAs must perform some communication with one another, 
for example exchange their own public keys. Certificates are 
well known for those skilled in the art, and a well known 
standard certificate are the certificate contained in the 

15 CCITT recommendation X.509. 

Fig. 3 shows a flowchart of the procedure followed at 
boot of the ASIC 101, and a detailed description thereof 
will be provided in the following. A protected application 
is used to load the OS kernel into the ASIC during system 

20 boot (not shown in Fig. 3). When loading the kernel, the 

protected application checks the integrity and encrypts the 
program code that forms the kernel . Subsequently, during 
kernel code execution, the kernel program code is decrypted 
in the secure execution environment 104, and checks are made 

25 that the integrity codes associated with the kernel code are 
correct. Typically, with regards to encryption operations on 
program code and calculation of corresponding integrity 
codes, protected applications are used at the time of 
boot. During normal execution, hardware in the secure execu- 

3 0 tion environment takes care of decryption and integrity 

verification. Note that in the drawings, data in the form of 
program code is employed to illustrate the teachings of the 
present invention. A man skilled in the art realizes that 
data in any appropriate form may be used, and hence the term 

3 5 "data" should not be limited to mean "program code" . 
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When the OS is loaded into the ASIC 101, and the ASIC 
hence is provided with basic functions required to operate 
correctly, program code is read (at step 3 01, denoted by 
"S301") from permanent memory 112 to, subsequently, be writ- 
5 ten into temporary memory 110, from which temporary memory 
the program code will be executed. The integrity of this 
program code must be verified (S302) to ensure that the pro- 
gram code has not been altered during the transmission from 
the NAND 112 to the RAM 110. This type of security critical 

10 operations is performed by the CPU 103 in the secure execu- 
tion environment 104. At device boot, the CPU generates 
(S3 03) a new secret key in the secure execution environment 
104, and uses this key to encrypt (S3 04) the verified pro- 
gram code in order to ensure that the program code is kept 

15 secret during the transmission (S305) of the encrypted pro- 
gram code to the RAM 110. For processing operations like 
these, which require a high level of security, the secure 
operation mode of the processor 103 is set. 

It should be noted that, for the provision of a high 

20 security level in the ASIC 101, a plurality of new secret 
keys is generated at boot. Each new secret key can be em- 
ployed to encrypt a respective subset of the program code. 
Hence, different secret keys may be used to encrypt differ- 
ent parts of the program code. As will be appreciated from 

25 the following description, the generation of a plurality of 
new secret keys is particularly advantageous when integrity 
codes are to provided for the program code that is to be 
stored . 

Fig. 4 shows a further embodiment of the present inven- 
3 0 tion, in which the program code that is read from permanent 
storage further is authenticated (S404) to ensure that the 
program code originates from a trusted program code pro- 
vider. This is an additional security feature as compared 
with the embodiment described in connection to Fig. 3. The 
35 fact that authentication is undertaken implies that the pro- 
gram code has been provided with some authentication means, 
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e.g. that it has been encrypted with a symmetric key known 
by the trusted provided and the ASIC 101, or provided with a 
digital signature . 

To further improve the security level of the device, 
5 integrity codes may be used in the ASIC 101. It is known in 
the art to employ e.g. checksums or message authentication 
codes (MAC) for this purpose. An embodiment of the present 
invention deals with the calculation of integrity codes for 
program code, and a flowchart thereof is shown in Fig. 5. 

10 This flowchart can be seen as an extension of the flowcharts 
of Fig. 3 and 4. When new secret keys have been generated 
(S504) , a MAC is calculated for the program code which is to 
be stored in RAM 110. The MAC is calculated (S505) as a 
function of the program code for which integrity is to be 

15 provided and a generated new secret key. A commonly used 

MAC, or cryptographic checksum, is the Data Authentication 
Algorithm based on the Data Encryption Standard (DES) algo- 
rithm. 

In practice, one MAC is calculated for each sequence of 

2 0 program code that is to be written into temporary memory. 

This means that if the external memory is accessed in groups 
of 32-bit words, a MAC is calculated for each 32-bit word of 
program code. Therefore, as previously mentioned, a plural- 
ity of new secret keys is generated at boot, and a respec- 

25 tive new key is employed for the calculation of each MAC. 

When the program code is written into the RAM 110, the asso- 
ciated MAC is preferably stored (S506) into integrity pro- 
tection storage 110 that is located inside the device. 

In Fig. 6, it is illustrated that when the program code 

30 is to be executed, the CPU 103 (or the DSP 102) reads (S601) 
it from the memory 110 in which it is stored. The CPU veri- 
fies (S602) the correctness of the MAC, i.e. it is checked 
that the program code has not been modified. If an incorrect 
MAC is found, the CPU should stop operation (S603) to pre- 

35 vent a possibly modified program code from harming the ASIC 
101. 
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As previously discussed, the processor 103 operates in 
two different execution modes: normal execution mode and se- 
cure execution mode, where the secure mode has precedence 
over the normal mode. In addition to these two execution 
5 modes, two program modes exist, namely "user mode" and "su- 
pervisor mode" , where the supervisor mode has precedence 
over the user mode. In brief, user mode generally involves 
execution of user programs and supervisor mode involves exe- 
cution of OS kernel programs. Typically, kernel programs in- 

10 elude interrupt handlers, schedulers that determine which 

programs share processing time of the kernel and in what or- 
der, and a supervisor that gives each process use of the 
processor when the respective process is scheduled. These 
kernel programs are, as their names suggest, the very core 

15 of the device software. These kernel programs are considered 
highly security critical and are run in the supervisor mode 
of the secure execution mode. Protected applications such as 
the boot program are also considered highly security criti- 
cal, but they are run in the user mode of the secure execu- 

20 tion mode, such that they cannot compromise kernel func- 
tions, as could be the case if they are run in the supervi- 
sor mode . 

The user mode and the supervisor mode will not be fur- 
ther described, as these are not essential for the under- 

2 5 standing of the invention. However, it should be understood 

that cryptographic operations require processing power, and 
should not be performed without due cause. Moreover, storing 
integrity codes is expensive, as it requires additional mem- 
ory. Consequently, trade-offs between device security and 
30 device costs must be made. If choices must be made whether 
certain types of program code is to be cryptographically 
process and other types not, this is the order of priority: 

supervisor mode programs in secure execution 

mode (highest priority) ,- 

3 5 - user mode programs in secure execution mode; 
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supervisor mode programs in normal execution 
mode ; 

user mode programs in normal execution mode 

(lowest priority) . 
Note that the skilled man realizes that the hardware com- 
prised in the present invention typically executes appropri- 
ate software to perform the steps as described in connection 
to Fig. 3-6. 

Even though the invention has been described with ref- 
erence to specific exemplifying embodiments thereof, many 
different alterations, modifications and the like will be- 
come apparent for those skilled in the art. The described 
embodiments are therefore not intended to limit the scope of 
the invention, as defined by the appended claims. 
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